VulnerableCode Package Details - pkg:pypi/nicegui@1.4.21

Search for packages

Vulnerability	Summary	Fixed by
VCID-fwyg-jtwk-kkbh Aliases: CVE-2026-25732 GHSA-9ffm-fxg3-xrhh PYSEC-2026-95	NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.	3.7.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-fwyg-jtwk-kkbh
Aliases:
CVE-2026-25732
GHSA-9ffm-fxg3-xrhh
PYSEC-2026-95

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.

3.7.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-yru8-rc3x-4uad	NiceGUI allows potential access to local file system NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website. This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.	CVE-2024-32005 GHSA-mwc7-64wg-pgvj

Vulnerability

Summary

Aliases

VCID-yru8-rc3x-4uad

NiceGUI allows potential access to local file system NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website. This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2024-32005
GHSA-mwc7-64wg-pgvj

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:47:35.638637+00:00	GitLab Importer	Fixing	VCID-yru8-rc3x-4uad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2024-32005.yml	38.6.0
2026-06-02T04:23:52.509458+00:00	Pypa Importer	Affected by	VCID-fwyg-jtwk-kkbh	https://github.com/pypa/advisory-database/blob/main/vulns/nicegui/PYSEC-2026-95.yaml	38.6.0

2026-06-02T04:47:35.638637+00:00

GitLab Importer

Fixing

VCID-yru8-rc3x-4uad

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2024-32005.yml

38.6.0

2026-06-02T04:23:52.509458+00:00

Pypa Importer

Affected by

VCID-fwyg-jtwk-kkbh

https://github.com/pypa/advisory-database/blob/main/vulns/nicegui/PYSEC-2026-95.yaml

38.6.0

Next non-vulnerable version	3.7.0
Latest non-vulnerable version	3.7.0
Risk